New Ledger firmware opens up a backdoor to your seed phrase

in #backdoor, 2 years ago (edited)


I usually do not publish posts like this, but WTF Ledger?

For a "security" company, having previously been involved in a massive data breach scandal was already bad enough for me not to recommend their devices to anyone (and it made me feel better about my failed project years ago), but now this?

The new firmware (v2.2.1), which apparently just came out, makes it possible for your seed phrase to leave your device and go to third-party custodians, which defeats the entire purpose of what they advertised. This kind of thing should never happen on a cold wallet, no matter what it is meant for.

The so-called "recovery service" means that 3 custodians collectively hold your seed phrase (plus your KYC details) and can access your coins through the encryption key they hold. What is the point of using a hardware wallet then?

There are much better ways for us to do this

Just set up a multisig wallet consisting of multiple cold wallets and distribute the key shares however you choose. How to do this depends on the coin/token and network. As for Hive, this isn't very convenient as of publication, but there is a proposal for this that you can support.

There are third-party services that help you do this properly by holding only one of the key shares for recovery, which on its own is far from enough to reach the quorum of common multisig setups (e.g. 2-of-3) needed to spend your coins.
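To make the difference between the two models concrete, here is an added illustration (not code from the original post or from Ledger) of the "recovery service" model described above: the seed is split into 3 shares, one per custodian, and any 2 of them reconstruct it, so the custodians collectively hold the seed. The 2-of-3 threshold, the use of Shamir secret sharing and the secp256k1 field prime are assumptions for the demo, and the secret is a constructed value, not a real wallet seed.

```python
# Added example: 2-of-3 Shamir secret sharing over a prime field, modelling a
# seed-recovery scheme in which three custodians each hold one share. The
# threshold and field are assumptions for this demo, not Ledger's design.
import secrets

# secp256k1 field prime; any prime larger than the secret works.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F


def split(secret: int, threshold: int = 2, shares: int = 3) -> list:
    """Return `shares` points (x, f(x)) on a random polynomial f of degree
    threshold-1 whose constant term is the secret."""
    assert 0 <= secret < P and 1 <= threshold <= shares
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, shares + 1)]


def recover(points: list) -> int:
    """Lagrange-interpolate the polynomial through `points` and evaluate it
    at x = 0, which yields the secret when enough distinct shares are given."""
    secret = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (-xm) % P
                den = den * (xj - xm) % P
        secret = (secret + yj * num * pow(den, -1, P)) % P
    return secret


def demo() -> dict:
    """Constructed 128-bit entropy value standing in for a seed; shows that two
    colluding custodians rebuild it while one share alone reveals nothing."""
    seed_entropy = int.from_bytes(secrets.token_bytes(16), "big")
    custodians = split(seed_entropy)          # shares held by custodians A, B, C
    two_collude = recover(custodians[:2])     # A and B together: seed recovered
    # A single share is consistent with every possible secret: combining it
    # with a guessed second point yields an arbitrary value, so A alone learns
    # nothing (the same holds for the multisig custodian holding 1 of 3 keys).
    guess = recover([custodians[0], (2, secrets.randbelow(P))])
    return {"two_shares_recover": two_collude == seed_entropy,
            "one_share_recovers": guess == seed_entropy}


if __name__ == "__main__":
    print(demo())  # {'two_shares_recover': True, 'one_share_recovers': False}
```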

Do not update

If you own a Ledger device, do not update your firmware or even Ledger Live. This goes to show that this kind of thing is entirely possible through a firmware update from Ledger themselves.

Consider moving your coins to another hardware wallet (or rotate keys and set up a multisig). If you are using your Ledger for your Hive account, consider dissociating it (in the advanced tab of hiveledger.io) and using another cold-storage solution instead.

I have been using my Nano S personally for 4 years and will consider doing the above. At most, I will use it only as a FIDO U2F authenticator if I take any action. Don't ask me what else I can recommend, because I can't at the moment.


Fully understand what you mean, but isn't this whole backup seed phrase thing only done/possible if you subscribe to this new service they are offering?

That's what they said, but you never know when a vulnerability will be discovered that bypasses these opt-ins for a remotely executed attack.

Understand 👍🏻

Thanks for the information. Ledger is digging its own grave and shows it is not as secure as it claims to be; involving a third party is no good.

If you can't update your firmware, you can throw the thing away. You also need updates for bug fixes anyway.

I have a Trezor at hand but wasn't satisfied with the UI. Will change when I hear about the first real breach on Twitter. I am pretty sure this will take a while.

True, eventually apps will not install anymore on older firmware 😬

The Ledger device can't communicate with the outside without the help of an app. If you use something proper like Specter, you are good.
It's a subscription service; you even need to pay. Lol. Like the state: you pay for "services" that are against your own interests. Unlike state "services", you can opt not to subscribe here. :D

The service should not exist at all, or at least should be sold as an unrelated product. This update breaks the very feature that we all bought these products for and that is being advertised: the seed must never leave the device to be exposed over the internet, under any circumstances.

hahahahaha bruh
It keeps getting worse?

The irony: while everyone rushed to Ledgers for the "security" in the past

DO NOT TRUST - VERIFY

fucking noobs :/